Privacy and Information Protection

Data breaches have recently been highlighted in several high profile incidents in
which private customer data was compromised, including data breaches within
the insurance industry. At Unum we consider it a high priority to earn and keep
our customers’ trust and confidence. Protecting the confidentiality of customer
information is a responsibility that we take seriously.

Existing Policies and Procedures

Unum has an integrated privacy and security approach. The privacy team
works closely with the company’s information security, physical security and
records management areas, and meets monthly with a wider, cross-functional
legal team to support the Company’s comprehensive approach to privacy and
security issues.

Unum has adopted and implemented internal privacy procedures, processes,
and controls designed to: (1) ensure the confidentiality of personal information;
and, (2) comply with state and federal privacy and security laws and regulations.
We have cross-functional frameworks that incorporate policies, procedures,
and business practices, and a fabric of technical and operational controls.
For example, among the measures we have implemented are policies and
procedures in compliance with various states’ laws regarding the treatment
and confidentiality of personal information, its notification requirements in
the event of an electronic data breach, and its requirements for the collection,
use and disclosure of Social Security numbers.

Sharing Information

We may share customers’ personal information primarily with…

People who perform insurance, business and professional
services for us

Medical providers for insurance and treatment purposes

Group policyholders for reporting and auditing

Government or legal authorities when required or permitted by law

Our practices apply to our current, former, and future customers.

The law allows us to share personal information (except health information)
with affiliates to market financial products and services. The law does not allow
customers to restrict these disclosures. When required by law, we ask customers’
permission before sharing personal information for marketing purposes.

Safeguarding Information

We have physical, electronic and procedural safeguards that protect the
confidentiality and security of personal information. We give access only to
employees who need to know personal information to provide insurance
products or services.

Education and Awareness

Privacy and information security training is provided to new hires and existing
employees on an annual basis, as well as through various types of targeted
training based on business and compliance need. Employees are required to
manage personal data responsibly and in compliance with privacy laws and
our company policies. This begins with our Code of Conduct and applies to
the following:

Personal data of our customers, business partners and employees

Details about the company’s business that are not known publicly

Non-public information that might be of use to competitors or
harmful to the company if disclosed, such as product development
or new technology

Information that suppliers, customers and claimants have entrusted to us

Risk Mitigation

Unum has an incident response plan, which is frequently updated to
ensure all steps are clear, concise and accurate. The Incident Response
Team investigates any reported unauthorized release of sensitive personal
information to determine if an information security breach has occurred. If the
Incident Response Team determines that a breach has occurred, we will take
appropriate actions to protect the impacted individuals.

We align to the regulatory and compliance requirements for reporting based
on state data security breach notification laws and, for HIPAA covered products,
to the US Department of Health and Human Services (HHS) federal laws. In
the event of a security breach, we will notify you in the most expedient time
and manner possible, without unreasonable delay, consistent with applicable
federal and state laws.